You may have heard about the security flaw that affects the entire Internet. It’s actually a problem with the software behind just about all domain name servers, DNS for short. A domain name server is a computer that acts like a phone book or switchboard operator: it takes a web address, like cbs.com, and translates it to an Internet Protocol (IP) address like 188.8.131.52. Since IP addresses are as hard to remember as phone numbers, none of us bother to use them. Instead we rely on the DNS servers to look them up for us.
But on July 8th, security researcher Dan Kaminsky found a flaw in the software used on most DNS servers that makes it possible for a hacker to re-direct a DNS lookup. If exploited, that flaw would allow a criminal to re-direct people to the wrong site. Imagine the scenario: you type the correct URL of your bank, but instead of going to your real bank’s site you go to a criminal’s site that looks just like it. You type in your user name and password and that information gets into the wrong hands. And don’t confuse this with phishing. A phishing attack tricks you into clicking on a link that takes you to a bogus site. If you were a victim of a DNS attack (sometimes called pharming) you could get to a bogus site even if you typed in the correct URL.
You can listen to my interview with Kaminsky on CBSNews.com
No need to panic
There is no need to panic or stop using the Internet. Kaminsky has been warning security professionals about this flaw for the last few weeks and most major Internet service providers have fixed their DNS servers to protect users. But not everyone has. There are thousands of DNS servers out there in companies and smaller ISPs that may not have been fixed. And, now that the word is out, there is a greater chance that hackers will attempt to exploit this flaw because more of them know about it.
You can find out if the company that provides your DNS server has a security flaw by using a DNS checker. There are three that I know of. Kaminsky has one on his blog, there’s another at DNS-OARC and one at the lower left corner of DNSstuff. If your system passes these tests, you’re OK.
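What those DNS checkers actually measure is whether a resolver randomizes the UDP source port of its outgoing queries, which is the fix that was rolled out for this flaw (the checker has the resolver send several queries to a server it controls and looks at the ports they arrive from). The script below is an added illustration, not code from any of the checkers named above: it scores a sample of observed source ports, and the "GOOD"/"POOR" threshold it uses is an assumed simplification, not the exact rule any particular checker applies. The port samples are constructed; nothing is sent over the network.

```python
import math
from collections import Counter

# Constructed samples: source ports seen on 10 consecutive queries from a resolver.
UNPATCHED_PORTS = [53] * 10                   # one fixed port, trivially guessable
SEQUENTIAL_PORTS = list(range(32768, 32778))  # incrementing port, still predictable
PATCHED_PORTS = [49123, 2341, 61002, 17765, 53999, 8712, 40210, 30555, 12004, 57831]


def entropy_bits(values):
    """Shannon entropy of the observed values, in bits (0 = always the same port)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_sequential(ports):
    """True when every port is exactly one more than the previous one."""
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))


def assess_resolver(ports):
    """Classify a resolver from a sample of its query source ports.

    Assumed simplified rule: GOOD only if every observed port is distinct,
    the sequence is not a simple increment, and the ports span more than
    1024 values. Anything else is POOR (guessable by an attacker).
    """
    if len(ports) < 5:
        raise ValueError("need at least 5 observations to judge randomness")
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    randomized = distinct == len(ports) and not is_sequential(ports) and spread > 1024
    return {
        "verdict": "GOOD" if randomized else "POOR",
        "distinct": distinct,
        "spread": spread,
        "entropy_bits": round(entropy_bits(ports), 2),
    }


if __name__ == "__main__":
    for name, sample in [("unpatched", UNPATCHED_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("patched", PATCHED_PORTS)]:
        print(name, assess_resolver(sample))
```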
If you’re not OK, contact your ISP or, if you’re at work, your system administrator. Or you can bypass your ISP’s domain name server and use a free alternative. Kaminsky recommends opendns.com, which allows you to use their domain name server instead of the one provided by your ISP. You may have to spend a few minutes configuring your computer or router to work with opendns’s name server, but there are clear instructions on that site. Because my ISP (Comcast) passed the tests, I didn’t bother changing mine and you shouldn’t either if your system tests out OK.
The good news about this is that the problem is being fixed around the globe. Next week Kaminsky heads to Las Vegas for a security conference where he plans to lay out more details to help experts fix their own servers and prevent these attacks in the future.